[
https://issues.apache.org/jira/browse/CAMEL-23762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18089177#comment-18089177
]
Andrea Cosentino commented on CAMEL-23762:
------------------------------------------
PR: https://github.com/apache/camel/pull/24034
Planned backports to camel-4.18.x (4.18.3) and camel-4.14.x (4.14.8).
_Claude Code on behalf of Andrea Cosentino_
> camel-whatsapp: support X-Hub-Signature-256 verification of inbound webhook
> payloads
> ------------------------------------------------------------------------------------
>
> Key: CAMEL-23762
> URL: https://issues.apache.org/jira/browse/CAMEL-23762
> Project: Camel
> Issue Type: Improvement
> Reporter: Andrea Cosentino
> Assignee: Andrea Cosentino
> Priority: Major
> Fix For: 4.14.8, 4.18.3, 4.21.0
>
>
> The camel-whatsapp webhook consumer forwards inbound event callbacks to the
> route without verifying their authenticity. WhatsApp/Meta signs event
> payloads with an X-Hub-Signature-256 HMAC-SHA256 header keyed by the app
> secret. This adds a webhookSecret option; when configured, inbound event
> callbacks whose X-Hub-Signature-256 signature is missing or does not match
> are rejected with HTTP 403. When the option is not set, behaviour is
> unchanged. This mirrors the signature verification already provided by
> camel-clickup.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
